Request for feedback - Suricata: An Operator's Guide

Hey folks,

This year, I’ll be working on creating a digital book that is a collection of Suricata best practices. I want it to serve as a kind of bridge between how Suricata works, how to reduce noise/false positives/alert fatigue, how Suricata rules work, and how to write your own rules. So far, this is the list of chapters/subjects I’ve identified that I definitely want to cover:

NIDS and IDS Evasion history, its influence on design for both Snort and Suricata

Setting up a rule writing/perf testing environment with Dalton

Understanding the importance of sensor placement

Anatomy of a Suricata 5+ rule

What makes a rule good

Understanding rule performance metrics

How to reduce false positives/alert fatigue

Scenarios/exercises involving malware, pcaps and rule writing (a la malware traffic analysis exercises)

So I don’t know if any of you are familiar with a prior work of mine Building Virtual Machine Labs: A Hands-On Guide, but while I was writing it, I would add new chapters and just share the revisions publicly. After it was all done, I posted it to leanpub and set the minimum price on it to free. I want to do the same thing with this book/guide as well.

So, this is the part where I’m asking you for feedback: What subjects pertaining to Suricata or NSM management in general would you want to see covered in such a work? Thank you in advance!